The article mentions Telnet login credentials about halfway through. Is that honestly what's happening? I'd assumed it was at least SSH logins being abused on the systems.
Its the fact that there is no market here- people do not know and will never know what they actually buy wit a IOT Device. They can not evaluate quality, and noone is liable for the risks.
I guess some citys will have to get the plague first, before the governments quarantining is accepted.
Warning - watching this may readjust your faith in humanity. Telnet is just the tip of the iceberg.
edit: (15:42) "Econolite [stoplights] listening on telnet. There are intersections [with] stoplights; you can telnet into them and put them in 'test mode'[sic], and the warning says, 'Don't do this, you could kill people!'"
I hope we start to see some pretty strong regulation around what type of computer can be put inside of non-standard computing device, and guidance and regulation on how it must be secured and updated. I work in city tech specifically around IoT and I'm incredibly worried about where all of this is going, cities DDoSing themselves in critical infrastructure points sounds pretty annoying.
This: https://news.ycombinator.com/item?id=14247715 -- But also, there is no need to put a computer with a huge amount of resource in say, a baby bottle that can tell an app what temperature the milk is. In theory you could do a lot more (or at least different) damage with a P5 than a 486. The IoT stuff is usually cobbled together components, so we'll see things like a 500gig HD on a device (such as an environmental sensor for a city intersection) that passes off data and at most needs a couple gigs for OS and cache stuff. It's harder to start installing stuff on devices that are at the minimum specs for what they are designed to do. I'm not sure if that makes sense but I'm pretty sure there is some logic in there somewhere. Correct me if I'm wrong. it was just a thought. :)
Though I quite agree with you, I think the quality of engineering work is a different issue than we're discussing here. At least I hope we aren't proposing government enforcement of these sorts of engineering best practices.
I think we should forget about regulating the implementation details for IoT devices, and instead mandate insurance, such that manufacturers become financially responsible for attacks committed using their hardware.
I'm almost certain that an excise tax on IoT devices proportional to how much damage they can do, combined with giving white hats legal immunity to hack devices as well as being paid a part of the device-tax, will be both more effective and cheaper than having politicians write detailed laws on software security.
If a company wants to drill into the ground looking for oil, and we know that this company can't pay the bill if things go wrong, we force them to pay an insurance premium/excise tax that covers the potential cleanup work. Of course we should do the same for devices that can be weaponized in this manner.
For example: a tax of 1 cent/mbit/s of network throughput, where 10% goes to administration costs, and 90% is paid out to white hats who are able to penetrate the device and display a "defective device; return to <local device-drop-off office>" message on the screen.
Proportional to how much damage they can do doesn't seem like a possible/reasonable measure. Should every car manufacturer now be responsible for insuring the cost of every car on the road causing a synchronized collision around the world? Should airplane manufacturers have to be insured for every airplane being in the sky, full of VIPs, and dropping onto the X most expensive buildings on earth, also full of prized possessions and more VIPs?
About giving white hats legal immunity to hack devices and be paid. How do you determine who is a white hat? Why wouldn't every black hat attempt to play the part of a white hat, gaining free range to play around with a system without any legal concerns. And if they find a crippling vulnerability, being able to sell it in a black market / partner with other black hats, and pretend they found nothing?
Those of us that worked in regulated industries (health, nuclear, etc.) had to do that for a long time now, at least based on my experience in Germany.
If your system has the potential to bring down the entire airfleet you sold, yes, you're on the hook for that event. Try building systems that are resilient in the face of failure, make that case to the insurer, premiums will go down.
I'm tired of the argument "well, we can break A LOT of shit in one go, so we shouldn't be held liable for our sloppiness". It's "too big to fail" in disguise.
It doesn't seem that clear cut to me, from what I see insurance liabilities in the US and throughout Europe are capped at a dollar amount or up to the corporate equity, not the full damage costs. Nuclear disasters like
Fukushima or Chernobyl have cost estimates that are each well over $200 billion. What insurance policy or company can foot that bill?
I think the difference is that the types of problems caused are kind of second-order effects based on co-ordination, rather than individual actions that each device is taking that is 'bad'.
So yes, air plane manufacturers might have insurance to cover them for all of their planes being down, but it's probably limited to the first-order damages of all of the planes being down, rather than the potential extra due to the fact they are all down at the same time.
e.g. If I own a mail-order business and I ship my stuff via air (with no contracts in place etc.), and suddenly no air planes can fly, so my business folds, I probably can't sue the air plane manufacturers.
In a similar way, the individual 'damages' that are attributed in a DDOS attack are due to the coordinated nature, rather than each device doing actual harm/damage.
Yes, second-order effects are harder to insure against, because the actuarial computations are harder. But introduce liability for the issue, and insurance will follow.
"It's hard to do things right" is not an excuse for not doing them right.
Car drivers are currently required to carry insurance against the damage they might do to third parties, although there's usually a (high) cap on the amount.
I don't see why self-driving cars shouldn't be required to be insured either.
Can you clarify what you mean by "type of computer"? I hope you don't mean we should see regulation that say ARM 32 bit devices are fine for IoT, but TI 8 bit devices cannot be used. This vulnerability doesn't seem dependent on any particular type of computer. It's mostly due to default router passwords and open ports, which I agree points to the need for guidance and regulation on how systems are secured and updated
I think GP is talking more about software than hardware. Most of today's IoT devices are intentionally crippled general-purpose computers. The only thing that's preventing them from doing everything a general-purpose computer can do, like running a different OS or attacking random websites, is the pre-installed software (often called firmware).
In this case, we might say that the manufacturer has a much stronger responsibility to keep their devices under control than in the case of, say, a typical PC where the user assumes more of that responsibility. The less freedom you give your users, the more power you reserve for yourself. That power should come with corresponding responsibilities.
For example:
- Mandatory security auditing of all pre-installed software
- Mandatory security updates for X years
- Mandatory insurance for damages caused by vulnerabilities in your products
Allow some of these requirements to be met by reusing previously audited and/or independently maintained software, giving manufacturers an incentive to stick with well-tested standard components. Waive some or all of the requirements if the device is allowed to be used as a general-purpose computer and/or all the software is freely available.
Best case scenario: we get routers and TVs labeled "Red Hat Embedded Linux inside: security updates guaranteed for 10 years."
> Best case scenario: we get routers and TVs labeled "Red Hat Embedded Linux inside: security updates guaranteed for 10 years."
As long as the industry is allowed to come to these SLA-like stamps on their own, on a per product basis, without government regulation breathing down their neck, this is exactly the way to go. IoT is so wide, there is no such thing as a "one size fits all". Any talk about across the board rules stinks of missing this obvious reality.
But also, there is no need to put a computer with a huge amount of resource in say, a baby bottle that can tell an app what temperature the milk is. In theory you could do a lot more (or at least different) damage with a P5 than a 486. The IoT stuff is usually cobbled together components, so we'll see things like a 500gig HD on a device (such as an environmental sensor for a city intersection) that passes off data and at most needs a couple gigs for OS and cache stuff. It's harder to start installing stuff on devices that are at the minimum specs for what they are designed to do. I'm not sure if that makes sense but I'm pretty sure there is some logic in there somewhere, but correct me if I'm wrong.
Custom designs used to make sense when general-purpose computers were expensive.
Nowadays, it's cheaper to stick a generic ARM SoC in your product and install a LAMP stack on it. It's also easier to find cheap developers that way. My router is just a bunch of CGI scripts running on an outdated Linux distro.
The problem is that gov't is extremely bad at regulating computers/Internet because half of them never used email and the other half if is paid by big interest groups.
This seems like a good thing in theory... but if it's all all successful, where goes the inventive for manufacturers to be more careful about their code?
Why should they make secure code if it's just going to be fixed for them?
Also, where's the incentive for lawmakers to regulate IoT security if less people are affected?
I think the general idea is more "they're not fixing it and there is no incentive, and while we wait and see if there is, botnets are spinning up huge DDoS attacks on demand, plus much much more."
The vigilante concept implies some known disregard or dismissal for the current law/powers that be for whatever reason the vigilante is motivated by. Add in the vast number of products made in jurisdictions where regulations aren't well enforced or can be circumvented easily, and soon it starts to look a bit dire to wait for the proper authorities to work.
I don't really know what to think about the Hajime botnet, but their motives are pretty easily understood.
But they are fixing it. And there is incentive. People are just upset that it isn't happening faster, so they clamor for more incentive. IoT is a new born baby in an industrial filled with 3 year olds. I guarantee in 100 years, we all will seem bumpkins developing the WORST ideas of security.
It probably doesn't help that seemingly everyone is slapping a SoC into anything that has electricity, spending 0 time/effort to harden the device, providing little to no guidance to end-users on best security practices then pushing them out as fast as they can be manufactured at a fat markup.
I recently saw an IoT room humidifier... Really?! How badly do you need to humidifier your (presumably unoccupied) room remotely? My garage door opener was internet-capable until I disable it. Some objects having remote accessibility makes sense but a lot of it is wow-factor marketing.
Just because you can't see a use for a connected device does not mean the use doesn't exist. And given the amount of time, energy and money that goes into developing any manufactured product, it doesn't happen on accident.
There is a large market of people who have property too large to spend walking around all day turning on and off devices to keep everything copacetic. Simple, arguably stupid, devices with IoT capability can greatly reduce this. Then you move into any application slightly larger than a personal home and the power of managing all these devices with software at scale becomes immense.
Specifically for the IoT room humidifier, I've seen such things in labs studying bugs or other exotic life that needs proper controls. These labs are setup by scientists who are just trying to get the conditions ideal and keep them that way and becomes an interesting mix of industrialized equipment and odd one-offs like a connected humidifier.
Anyone who has played Pandemic 2, or similar games where you control a virus intent on killing all humans, knows that the most effective strategy is to spread as far as possible with as little symptoms as possible before mutating into a killing machine. Apparently Hajime has update capabilities, so perhaps it is too soon to call the creators vigilantes?
That's true, and a lot of effort is being poured into it.
I hope that this activity is being sponsored by victims of botnets or their governments to reduce malicious infections, since the Internet of $#!^ has no incentive. This may be the best case scenario.
You describe the worst case scenario. I hope you're wrong, but only time will tell.
This is a great point. While reading this, I thought it was Miari 2.0, but was pleasantly surprised to read that the creator(s) works as a benevolent vigilante. If (one of) the botnet creator(s) decides to become malicious, it will have a large network at it's disposal.
If I really had to guess who was behind this I would guess it is the kid who was behind Mirai because of the similarities between the two.
Seems like his unmasking by krebsonsecurity must have scared the crap out of him and he's now realized how stupid his pursuits were. May also be trying to find a way to lower the impending charges that will likely come.
Plus, if his motivation was to take over other botnets, to earn some hacker street cred then what better way to win the ultimate battle by making sure no one else can hack into these devices again?
I'm disappointed with the media praising the actions of this IOT virus. Why do we have any reason to trust them? Articles should really be focusing on how these vulnerabilities are extremely dangerous, and that this should be a wakeup call for the introduction of stringent IOT standards
Certain parts of the list of subnets avoided by Hajime strikes me as rather interesting...
Some countries:
- Ukraine; Region Vinnyts’ka Oblast’ /16
- Iran, Islamic Republic of; Region Tehran /16
- Germany Virtela Communications Inc Amsterdam, NL POP /16
- South Africa; Region Gauteng /16
Then:
- General Electric's /8
- both Hewlett-Packard's /8
- US Postal Service's /8
and finally all of the US Department of Defence (obviously)
I would have thought HP would be a goldmine seeing as they put anything and everything on public, proxied IP's. And why not avoid Xerox, Apple, and CIA subnets too while you're at it?
48 comments
[ 4.5 ms ] story [ 107 ms ] threadI guess some citys will have to get the plague first, before the governments quarantining is accepted.
And an article on how bad it is: http://www.networkworld.com/article/3143133/security/iot-sec... (98 seconds to being infected after exposing it to the internet)
> The correct mitigation, Graham said, is to “put these devices behind your firewall” because “many of the Mirai passwords can’t be changed.”
No, the correct mitigation is to not have one of those devices.
You don't buy a rotten apple, and then store it on your kitchen table, because "it's fine because it's sealed in a plastic bag".
https://www.youtube.com/watch?v=5cWck_xcH64
Warning - watching this may readjust your faith in humanity. Telnet is just the tip of the iceberg.
edit: (15:42) "Econolite [stoplights] listening on telnet. There are intersections [with] stoplights; you can telnet into them and put them in 'test mode'[sic], and the warning says, 'Don't do this, you could kill people!'"
This article is about Hajime, a sophisticated trackerless BitTorrent-backed botnet with resillience and stealth functionality. Self-professed greyhat.
Still relevant to this discussion, though.
More likely fatal, or at least very costly.
To expand: there was the recent[0] attack on Dallas' tornado alarm. Imagine that was a disabling attack ahead of a tornado instead.
[0]: https://www.theregister.co.uk/2017/04/13/dtmf_replay_phreake...
What does "type of computer" mean? And why would this need regulation (are some "types of computers" less secure than others)?
I'm almost certain that an excise tax on IoT devices proportional to how much damage they can do, combined with giving white hats legal immunity to hack devices as well as being paid a part of the device-tax, will be both more effective and cheaper than having politicians write detailed laws on software security.
If a company wants to drill into the ground looking for oil, and we know that this company can't pay the bill if things go wrong, we force them to pay an insurance premium/excise tax that covers the potential cleanup work. Of course we should do the same for devices that can be weaponized in this manner.
For example: a tax of 1 cent/mbit/s of network throughput, where 10% goes to administration costs, and 90% is paid out to white hats who are able to penetrate the device and display a "defective device; return to <local device-drop-off office>" message on the screen.
Proportional to how much damage they can do doesn't seem like a possible/reasonable measure. Should every car manufacturer now be responsible for insuring the cost of every car on the road causing a synchronized collision around the world? Should airplane manufacturers have to be insured for every airplane being in the sky, full of VIPs, and dropping onto the X most expensive buildings on earth, also full of prized possessions and more VIPs?
About giving white hats legal immunity to hack devices and be paid. How do you determine who is a white hat? Why wouldn't every black hat attempt to play the part of a white hat, gaining free range to play around with a system without any legal concerns. And if they find a crippling vulnerability, being able to sell it in a black market / partner with other black hats, and pretend they found nothing?
Those of us that worked in regulated industries (health, nuclear, etc.) had to do that for a long time now, at least based on my experience in Germany.
If your system has the potential to bring down the entire airfleet you sold, yes, you're on the hook for that event. Try building systems that are resilient in the face of failure, make that case to the insurer, premiums will go down.
I'm tired of the argument "well, we can break A LOT of shit in one go, so we shouldn't be held liable for our sloppiness". It's "too big to fail" in disguise.
http://www.theecologist.org/blogs_and_comments/commentators/...
So yes, air plane manufacturers might have insurance to cover them for all of their planes being down, but it's probably limited to the first-order damages of all of the planes being down, rather than the potential extra due to the fact they are all down at the same time.
e.g. If I own a mail-order business and I ship my stuff via air (with no contracts in place etc.), and suddenly no air planes can fly, so my business folds, I probably can't sue the air plane manufacturers.
In a similar way, the individual 'damages' that are attributed in a DDOS attack are due to the coordinated nature, rather than each device doing actual harm/damage.
"It's hard to do things right" is not an excuse for not doing them right.
I don't see why self-driving cars shouldn't be required to be insured either.
In this case, we might say that the manufacturer has a much stronger responsibility to keep their devices under control than in the case of, say, a typical PC where the user assumes more of that responsibility. The less freedom you give your users, the more power you reserve for yourself. That power should come with corresponding responsibilities.
For example:
- Mandatory security auditing of all pre-installed software
- Mandatory security updates for X years
- Mandatory insurance for damages caused by vulnerabilities in your products
Allow some of these requirements to be met by reusing previously audited and/or independently maintained software, giving manufacturers an incentive to stick with well-tested standard components. Waive some or all of the requirements if the device is allowed to be used as a general-purpose computer and/or all the software is freely available.
Best case scenario: we get routers and TVs labeled "Red Hat Embedded Linux inside: security updates guaranteed for 10 years."
As long as the industry is allowed to come to these SLA-like stamps on their own, on a per product basis, without government regulation breathing down their neck, this is exactly the way to go. IoT is so wide, there is no such thing as a "one size fits all". Any talk about across the board rules stinks of missing this obvious reality.
Nowadays, it's cheaper to stick a generic ARM SoC in your product and install a LAMP stack on it. It's also easier to find cheap developers that way. My router is just a bunch of CGI scripts running on an outdated Linux distro.
Why should they make secure code if it's just going to be fixed for them?
Also, where's the incentive for lawmakers to regulate IoT security if less people are affected?
The vigilante concept implies some known disregard or dismissal for the current law/powers that be for whatever reason the vigilante is motivated by. Add in the vast number of products made in jurisdictions where regulations aren't well enforced or can be circumvented easily, and soon it starts to look a bit dire to wait for the proper authorities to work.
I don't really know what to think about the Hajime botnet, but their motives are pretty easily understood.
I recently saw an IoT room humidifier... Really?! How badly do you need to humidifier your (presumably unoccupied) room remotely? My garage door opener was internet-capable until I disable it. Some objects having remote accessibility makes sense but a lot of it is wow-factor marketing.
There is a large market of people who have property too large to spend walking around all day turning on and off devices to keep everything copacetic. Simple, arguably stupid, devices with IoT capability can greatly reduce this. Then you move into any application slightly larger than a personal home and the power of managing all these devices with software at scale becomes immense.
Specifically for the IoT room humidifier, I've seen such things in labs studying bugs or other exotic life that needs proper controls. These labs are setup by scientists who are just trying to get the conditions ideal and keep them that way and becomes an interesting mix of industrialized equipment and odd one-offs like a connected humidifier.
I hope that this activity is being sponsored by victims of botnets or their governments to reduce malicious infections, since the Internet of $#!^ has no incentive. This may be the best case scenario.
You describe the worst case scenario. I hope you're wrong, but only time will tell.
Seems like his unmasking by krebsonsecurity must have scared the crap out of him and he's now realized how stupid his pursuits were. May also be trying to find a way to lower the impending charges that will likely come.
Plus, if his motivation was to take over other botnets, to earn some hacker street cred then what better way to win the ultimate battle by making sure no one else can hack into these devices again?
Some countries:
- Ukraine; Region Vinnyts’ka Oblast’ /16
- Iran, Islamic Republic of; Region Tehran /16
- Germany Virtela Communications Inc Amsterdam, NL POP /16
- South Africa; Region Gauteng /16
Then:
- General Electric's /8
- both Hewlett-Packard's /8
- US Postal Service's /8
and finally all of the US Department of Defence (obviously)
I would have thought HP would be a goldmine seeing as they put anything and everything on public, proxied IP's. And why not avoid Xerox, Apple, and CIA subnets too while you're at it?
Krebs has a more detailed writeup on this for anyone interested in reading more: https://security.rapiditynetworks.com/publications/2016-10-1...